- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-28-2019 08:50 AM
Issue:
Certain change managers have been known to abuse the approval_admin role to approve requests outside of the Change table, and definitely outside of their role as Change Manager. Despite having Self-Service Delegate creation in our Catalog, Approvals are sometimes needed to push changes through when Approvers are not in-office.
Request:
Is it possible to create a custom role that has similar privileges as approval_admin, but only applies to the Change approvals?
I'm aware that an ACL is necessary to accomplish this request. However, when creating the ACL, I'm not sure what restrictions need to be in place before it will work properly.
Solved! Go to Solution.
- Labels:
-
Best Practices
-
Change Management

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-05-2019 08:46 AM
Hi,
Yes, you can create a new custom_approval_admin role by going to the Roles table. After it's submitted, in the related list you'll find Contains Roles, there you can put approval_admin role, and it would act similar to standard approval_admin role. In case, you need to define privileges for this new role on certain tables, you can configure ACL's for it.
Hope this helps.
Please mark helpful or correct based on impact.
Thanks.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-05-2019 08:46 AM
Hi,
Yes, you can create a new custom_approval_admin role by going to the Roles table. After it's submitted, in the related list you'll find Contains Roles, there you can put approval_admin role, and it would act similar to standard approval_admin role. In case, you need to define privileges for this new role on certain tables, you can configure ACL's for it.
Hope this helps.
Please mark helpful or correct based on impact.
Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-05-2019 08:53 AM
Hi Narendra,
Thank you for the response. I've tried doing as you suggested, and though it did allow a user with the new custom role to approve Change Request approvals, it is still also allowing them to approve RITM approvals as well. This second part is what I'm trying to restrict. You mentioned adding ACLs to other tables, but I'm not sure if that would affect other roles, or the itil role in general. Could you or anyone else provide more insight as to how I would accomplish my goal?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-05-2019 09:00 AM
Hi,
If you're creating an ACL to restrict custom_approval_admin to only approve change request and not CR, that won't affect any other places in the instances or the itil roles in general. You could try it.
Hope this helps.
Please mark helpful or correct based on impact.
Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2022 12:50 PM
I have created a custom role and a new ACL below to restrict the approvals to Change Requests, but the user with the role is still unable to approve the Change Request. I also added it to the role list instead of in the script and user is still unable to approve. Any suggestions?
When they try to right click and approve they get this popup.